The final stage of a successful risk management strategy that follows the ISO 31000 framework is to continuously monitor and review the appropriateness of the risk criteria, analysis, treatment, and the framework itself.
A comprehensive risk strategy involves continuous evaluation as the organisation evolves. It could be that reviews are performed annually, monthly, or weekly – it’s up to the leadership to determine the review and reporting requirements of the accountable individuals involved in delivering and monitoring risk processes.
Clause 6.6: Monitor and Review
As with all Standards within the higher Annex SL framework, the concept of Plan, Do, Check, Act applies to the risk management strategy an organisation creates under ISO 31000. An integral part of ensuring continuous quality and improvement in process, efficiency, and output is to monitor strategic goals and performance on a regular basis.
When a risk has changed, for example, an external factor such as the exchange rate has impacted upon trade, the risk treatment needs review. But the whole risk strategy needs to be considered as a constantly evolving element as the objectives of an organisation change over time.
A review process should include all stakeholders, internal and external, to ensure a holistic input into the ongoing shaping of the risk management processes.
Clause 6.7: Recording and Reporting
The full risk management process needs to be recorded and reported to:
- Ascertain the organisation’s stance on risk culture, appetite, and tolerance
- Communicate effectively to all stakeholders at key stages
- Deliver clear data on the effectiveness of risk treatment plans
- Improve engagement with stakeholders and draw on feedback
- Provide valuable information for decision making across the organisation
Reporting timeframes and performance metrics are to be determined at an early stage of the strategy development, to manage expectations of stakeholders and ensure timely and appropriate information gathering.
Reports should consider information such as the audience type, data sensitivity, and how the data relates to overall objectives and goals of the organisation.
That’s it! You’ve come to the end of your ISO 31000 Toolkit. Don’t worry – there are plenty more resources available here: Business Case Toolkit.